Manage cyber crises with resilience, says former DOJ official

NEW YORK — Companies should focus on resilience and managing crises when it comes to cyber threats, says a former Justice Department official.

Nobody blames a company for being hit by a hurricane, said John P. Carlin, a partner with Morrison & Foerster L.L.P. in Washington, D.C., who was formerly assistant attorney general for the U.S. Department of Justice’s national security division, in making an analogy between a cyber attack and a hurricane. He spoke at the Professional Liability Underwriting Society’s 2018 directors & officers symposium in New York on Thursday.

The test should be on a firm’s ability “to get back into business after the hurricane,” he said during a one-on-one interview with Jack Flug, New York-based managing director within Marsh L.L.C.’s FINPRO practice, its financial and professional insurance group, during the symposium.

“That mindset is relatively new, and requires the business side of the house to be very actively engaged,” said Mr. Carlin.

Mr. Carlin said over the past 25 to 30 years, everything of value has moved from an analog to a digital space, but “no one calculated the risk of what could occur. Over the past couple of years, it’s becoming a more traditional area of risk management” within companies, he said, with firms making governance changes on handling cyber risks.

Mr. Carlin also said when it comes to ransomware, firms often have not decided in advance who is delegated to make decisions, even though firms are faced with a situation where a clock is ticking on their computer screens.

Mr. Carlin agreed with Mr. Flug that companies should have dry runs for how to proceed if they are infiltrated. He said insurers can insist this be one of the issues covered as part of having a reasonable standard that would entitle them to coverage.

Firms “should be doing exercises with the executive leadership team,” including dealing with issues such as who is making the call to the media and whether to freeze trading, he said.

He also recommended tabletop exercises conducted by the board of directors, both because it shows the board is exercising a reasonable standard of care and to emphasize the board’s proper role.

By conducting exercises, “they will find unexpected risks,” as well as certain things they are “not comfortable with,” Mr. Carlin said. “Keep running those exercises, at least on an annual basis,” he said.

During a discussion on the Internet of Things, Mr. Carlin said just as with the internet’s original use, “they’re not building security in by design.” While significant resources may be spent on safety protocols for new products, often only a small amount is devoted to connecting the product to the internet, he said.

Also discussed during the session was North Korea’s hacking into Sony Corp.’s Sony Pictures Entertainment in 2014, which stemmed from its evident unhappiness over Sony’s movie, “The Interview.”

The situation “led to a couple of unique moments,” including a briefing with President Obama on a matter of national security that “started with a plot synopsis of a movie about pot smokers,” said Mr. Carlin. “No one predicted” that movie would lead to a nation-state crisis, he added.